Ransomware Attacks Rise 50% in 2025 but Payments Slip

What to Know

8,000 ransomware leak events were recorded in 2025, a 50% jump from the prior year, according to Chainalysis
$820 million in on-chain ransom payments were collected in 2025, an 8% decline from 2024 totals
Dark web victim-access prices dropped from $1,427 in early 2023 to $439 by the start of 2026
CertiK reported $370.3 million in crypto stolen through exploits and scams in January 2026 alone

Ransomware attacks climbed 50% in 2025 even as total on-chain payments to hackers declined, according to a new annual report from blockchain analytics firm Chainalysis published on Wednesday. The firm recorded nearly 8,000 leak events during the year, yet ransom payments totaled just $820 million, reflecting an 8% drop compared to 2024.

Hackers Shift Toward Smaller Targets

Chainalysis attributed the payment decline to heightened regulatory scrutiny, enforcement actions aimed at laundering network infrastructure, and a growing refusal by large organizations to meet ransom demands. These factors collectively forced attackers to pivot away from headline-grabbing intrusions and toward small and medium-sized enterprises that tend to settle faster.

eCrime.ch founder Corsin Camichel, who contributed to the Chainalysis report, noted that the strategic shift reflects a calculated bet by ransomware gangs. Targeting smaller entities means lower individual payouts but faster collection cycles with fewer complications from government intervention.

We're seeing a structural shift in targeting: fewer large, headline-grabbing intrusions and more volume focused on small and medium enterprises. The assumption is simple -- smaller victims pay faster.
— Corsin Camichel, Founder of eCrime.ch

Why Are Ransomware Attacks Getting Cheaper?

The surge in attack volume stems largely from a collapse in the cost of launching ransomware campaigns. The average price for victim access on the dark web plunged from $1,427 at the start of 2023 to just $439 by early 2026, according to Chainalysis data. Cheap ransomware strains flooding underground markets, combined with AI-assisted tooling and a proliferation of infostealer logs, have dramatically lowered the barrier to entry for cybercriminals worldwide.

We are seeing industrialized access pipelines, AI-assisted tooling, and a proliferation of infostealer logs that lower the barrier to entry, which has resulted in an oversupply of cheap but operationally constrained inventory that floods the market and depresses pricing.
— Chainalysis Report

Crypto Losses Mount in Early 2026

Although ransomware payments dipped in 2025, the broader crypto threat landscape remains severe heading into 2026. Cybersecurity firm CertiK found that $370.3 million in cryptocurrency was stolen through exploits and scams during January alone, with phishing scams responsible for $311.3 million of the total.

The CertiK data highlights that address poisoning and sophisticated phishing techniques continue to pose the most significant financial risk to crypto holders, outpacing even traditional ransomware as a theft vector in early 2026.

What This Means Going Forward

The Chainalysis findings underscore a paradox in crypto-related crime: ransomware operators are launching more attacks than ever, but earning less per campaign. Heightened law enforcement coordination and corporate reluctance to pay have eroded profitability, even as cheap tooling and AI integrations keep the total number of incidents climbing. For organizations of all sizes, the report serves as a warning that the ransomware threat is evolving rather than receding.